FIDO2 is a cryptographic protocol for authenticating to web applications without passwords, using hardware tokens (authenticators) that hold cryptographic credentials which cannot easily be extracted or copied. Its purpose is to relieve regular users of the burden and risk of choosing a password that is strong enough, remembering it (no post-its, please!), and rotating it regularly. You may have come across FIDO as a second or multi-factor authentication mechanism on top of passwords, or as passkeys in your browser or on your phone.
To provide secure authentication, FIDO2 runs its cryptographic primitives inside secure devices (such as smartphones or dedicated USB or NFC hardware tokens). At a high level, the protocol involves a user who wants to authenticate to a web service, the browser used to access that service, and the token (authenticator) holding the credentials used to log in. FIDO2 consists of two sub-protocols: ‘WebAuthn’, run between the user, authenticator, browser and web service so that the user can authenticate to the web service with the hardware token (instead of, or in addition to, a password), and ‘CTAP’, run between the hardware token and the browser (the client) so that only a trusted client can communicate directly with the token.
In our presentation we will explain our end-to-end post-quantum secure implementation of the FIDO2 protocol, which we have recently open-sourced. The implementation is ‘post-quantum secure’ because it replaces or adjusts every cryptographic primitive in use (digital signature schemes and key encapsulation mechanisms) with a quantum-secure one. Concretely, the quantum-secure signature scheme CRYSTALS-Dilithium3 is used in WebAuthn and the key encapsulation mechanism CRYSTALS-Kyber768 in CTAP (the two are being standardized as ML-DSA and ML-KEM, respectively). It is ‘end-to-end post-quantum secure’ because the entire protocol flow between web service, web browser and hardware token is post-quantum secure. Since we use and extend several open-source libraries, we will also explain how each of them contributes to the resulting implementation and why we chose it.
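As an added illustration of the WebAuthn half of the flow described above, here is a standard-library-only Python model of relying party, browser and authenticator exchanging a challenge, authenticatorData and a signature. This is not code from the talk or from the open-sourced implementation. The signature scheme sits behind three functions so it can be swapped the way the talk swaps in Dilithium3; because no post-quantum library is assumed, a hash-based Lamport one-time signature over SHA-256 stands in for it. Lamport signatures are post-quantum in the same hash-based sense but are one-time, which the model enforces to make the difference from a many-time scheme explicit. The RP identifier `example.com`, the origin, the credential layout and the flag byte are illustrative assumptions; CTAP and the Kyber768 key exchange between token and client are not modelled.

```python
"""Added example: WebAuthn-style assertion flow with a pluggable signature scheme.
Not the talk's code. Lamport OTS (hash-based, one-time) stands in for Dilithium3."""
import base64
import hashlib
import json
import secrets
import struct


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# --- Signature scheme behind a keygen/sign/verify interface (stand-in: Lamport OTS) ---
def sig_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def sig_sign(sk, msg: bytes) -> bytes:
    h = int.from_bytes(sha256(msg), "big")
    return b"".join(sk[i][(h >> (255 - i)) & 1] for i in range(256))


def sig_verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    h = int.from_bytes(sha256(msg), "big")
    return all(sha256(sig[32 * i:32 * i + 32]) == pk[i][(h >> (255 - i)) & 1] for i in range(256))


class Authenticator:
    """Token side: holds private keys, emits authenticatorData and a signature."""

    def __init__(self):
        self.creds = {}  # credential id -> {"sk", "rp_id", "count", "used"}

    def make_credential(self, rp_id: str):
        sk, pk = sig_keygen()
        cred_id = secrets.token_bytes(16)
        self.creds[cred_id] = {"sk": sk, "rp_id": rp_id, "count": 0, "used": False}
        return cred_id, pk

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data_hash: bytes):
        cred = self.creds[cred_id]
        if cred["rp_id"] != rp_id:
            raise ValueError("credential is not bound to this relying party")
        if cred["used"]:  # one-time key: a many-time scheme such as Dilithium lifts this limit
            raise RuntimeError("Lamport key already used; refusing to sign again")
        cred["used"] = True
        cred["count"] += 1
        # authenticatorData = SHA-256(rpId) || flags (UP bit set) || signCount (assumed minimal layout)
        auth_data = sha256(rp_id.encode()) + bytes([0x01]) + struct.pack(">I", cred["count"])
        return auth_data, sig_sign(cred["sk"], auth_data + client_data_hash)


class RelyingParty:
    """Web service side: issues challenges, stores public keys, verifies assertions."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}  # username -> {"cred_id", "pk", "count"}

    def register(self, username: str, cred_id: bytes, pk) -> None:
        self.users[username] = {"cred_id": cred_id, "pk": pk, "count": 0}

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify_assertion(self, username, challenge, client_data_json, auth_data, sig) -> bool:
        user = self.users[username]
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False
        if cd.get("challenge") != b64url(challenge):
            return False  # stale or replayed response
        if len(auth_data) < 37 or auth_data[:32] != sha256(self.rp_id.encode()):
            return False
        if not auth_data[32] & 0x01:
            return False  # user presence not asserted
        count = struct.unpack(">I", auth_data[33:37])[0]
        if count <= user["count"]:
            return False  # non-increasing counter: replay or cloned token
        if not sig_verify(user["pk"], auth_data + sha256(client_data_json), sig):
            return False
        user["count"] = count
        return True


def client_get(rp: RelyingParty, token: Authenticator, username: str, challenge: bytes):
    """Browser side: builds clientDataJSON and hands its hash to the token."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": rp.origin}).encode()
    auth_data, sig = token.get_assertion(rp.rp_id, rp.users[username]["cred_id"], sha256(cdj))
    return cdj, auth_data, sig


def demo():
    """Register, authenticate once, then replay the same response: (True, False)."""
    rp, token = RelyingParty("example.com", "https://example.com"), Authenticator()
    cred_id, pk = token.make_credential(rp.rp_id)
    rp.register("alice", cred_id, pk)
    chal = rp.new_challenge()
    cdj, auth_data, sig = client_get(rp, token, "alice", chal)
    first = rp.verify_assertion("alice", chal, cdj, auth_data, sig)
    replay = rp.verify_assertion("alice", chal, cdj, auth_data, sig)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The relying party never sees a private key; it only checks that the signature over `authenticatorData || SHA-256(clientDataJSON)` verifies under the public key registered for the user, which is exactly the place where the signature algorithm (ECDSA today, Dilithium3 in the talk) is exchanged. The one-time guard in `get_assertion` shows why the stand-in scheme cannot be used for real logins.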
The aim of this open-source project is to provide a complete implementation with post-quantum secure registration and authentication in every step of the protocol and for every party involved, giving developers a starting point to experiment with and test the viability of post-quantum cryptography on current hardware devices that provide FIDO2 authentication.